This invention relates to distributed computing systems and more particularly to a system and method for managing the distribution of bandwidth at an endpoint of a distributed computing network.
Distributed data processing networks with thousands of nodes, or endpoints, are known in the prior art. The nodes can be geographically dispersed and the computing environment managed in a distributed manner with a plurality of computing locations running distributed kernel services (DKS). The managed environment can be logically separated into a series of loosely connected managed regions in which each region has its own management server for managing local resources. The management servers coordinate activities across the network and permit remote site management and operation. Local resources within one region can be exported for the use of other regions in a variety of ways.
Managed regions within a highly distributed network may attempt to incorporate fault-tolerance with firewalls that attempt to limit any damage that might be caused by harmful entities. A firewall can prevent certain types of network traffic from reaching devices that reside on the "other" side, beyond the firewall. For example, a firewall can examine the frame types or other information of incoming data packets (i.e., so-called "packet sniffing") and decide to stop certain types of information that have previously been determined to be harmful, such as virus probes, pings, broadcast data, etc. Another use of such firewalls is to influence the distribution of bandwidth by denying access to certain types of communications which may unnecessarily consume needed bandwidth. Yet another role of a firewall is to prevent outside entities' attempts to breach an internal network (or network devices located beyond the firewall) to steal information and/or attack (i.e., "hack") the network. While existing firewalls can prevent certain entities from obtaining information from the protected network devices, firewalls can simultaneously present a barrier to the operation of legitimate, useful processes.
A firewall typically comprises a static, dedicated piece of code that operates by using a dedicated port. Each software component communicates with another component by knowing the dedicated port number of the other component. However, memory and other system constraints can eventually limit the number and the management of dedicated ports, and the dynamic reconfiguration of port numbers can be quite difficult. Another drawback to the static firewall system that is executed at the device driver level (i.e., the packet sniffing type of firewall) is that the component must necessarily look at every packet which traverses that port. Given the quantity of communications in vast distributed networks, the analysis of every data packet can be an overwhelming task. If communications could be screened based on protocol, a significant amount of packet analysis could be foregone.
Yet another drawback to the presently available firewall technology is that it provides a "yes" or "no" approach to evaluating communications, whereby usage is either permitted or denied. There exists no mechanism today for a performance-based analysis of network communications at a firewall in order to allow continued usage provided that the bandwidth being consumed is within predetermined limits.
It is desirable, therefore, and is an object of the present invention, to have a method and apparatus for providing a performance-based firewall in a distributed network environment.
Another object of the present invention is to provide a firewall which can dynamically influence distribution of bandwidth in a network.
Yet another object of the present invention is to provide a firewall at the protocol layer rather than the packet layer.
The foregoing and other objects are realized by the present invention wherein a method and apparatus are disclosed for implementing a performance-based firewall at the protocol layer. Application Action Objects (AAOs) are created for requesting applications and are mapped to specific protocol events. Each AAO is then used as a Usage Based Firewall (UBF) to monitor all usage of the protocol at the endpoint identified by the application, thereby acting as a performance-based, protocol layer firewall for communications at that endpoint. A responsible logical gateway monitors the AAO and reports AAO activity to a UBF Manager at a control server to direct the AAO regarding continued usage based on bandwidth considerations.
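As an added illustration, not taken from the patent text, the following Python sketch models the usage-based firewall summarized above: an Application Action Object accounts for protocol usage at an endpoint over a sliding window, a logical gateway reports each protocol event to a UBF Manager, and the manager directs continued usage or denial against a predetermined bandwidth limit instead of a static allow/deny rule. The class names, the one-second window, the limit values, and the sample events are assumptions constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ApplicationActionObject:
    """Per-application, per-protocol usage accounting at one endpoint (assumed design)."""
    app: str
    protocol: str
    window_s: float                      # sliding window over which usage is measured
    events: deque = field(default_factory=deque)   # (timestamp_s, bytes) pairs

    def record(self, ts: float, nbytes: int) -> None:
        self.events.append((ts, nbytes))
        self._expire(ts)

    def _expire(self, now: float) -> None:
        # Drop events that have fallen out of the measurement window.
        while self.events and now - self.events[0][0] > self.window_s:
            self.events.popleft()

    def usage_bps(self, now: float) -> float:
        self._expire(now)
        return sum(b for _, b in self.events) * 8 / self.window_s


class UBFManager:
    """Control-server side: holds predetermined limits and directs each AAO."""
    def __init__(self, limits_bps: dict):
        self.limits = limits_bps         # {(app, protocol): bandwidth limit in bit/s}

    def decide(self, aao: ApplicationActionObject, now: float) -> str:
        limit = self.limits.get((aao.app, aao.protocol))
        if limit is None:
            return "deny"                # no policy registered for this app/protocol
        return "continue" if aao.usage_bps(now) <= limit else "deny"


class LogicalGateway:
    """Monitors AAOs and reports protocol events to the UBF Manager."""
    def __init__(self, manager: UBFManager):
        self.manager = manager
        self.aaos: dict = {}

    def register(self, app: str, protocol: str, window_s: float = 1.0) -> None:
        self.aaos[(app, protocol)] = ApplicationActionObject(app, protocol, window_s)

    def handle_event(self, app: str, protocol: str, ts: float, nbytes: int) -> str:
        aao = self.aaos.get((app, protocol))
        if aao is None:
            return "deny"                # protocol use with no AAO is screened out
        aao.record(ts, nbytes)
        return self.manager.decide(aao, ts)
```

Because accounting is keyed by application and protocol rather than by port, a decision is reached once per protocol event instead of once per packet, which is the screening-by-protocol saving the description argues for.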